March 2011 - Posts

The Federal Bureau of Investigation is asking the public for help. In 1999, two encrypted notes were found on a murdered man. The FBI's Cryptanalysis and Racketeering Records Unit (CRRU) and the American Cryptogram Association have worked on decoding the message to no avail, and are asking (wondering?) if the public can shed any light on the situation. If you ever needed public proof of the power of data encryption to protect information, here you have it.

High School Dropout, Street Smart

First off, there is no reward. Well, no financial reward but I guess you get bragging rights. After all, you "beat" the FBI.

If you're still interested, you can find the background story here. In a nutshell, the victim was a high school dropout who had dabbled with encryption since he was a boy. The notes were found on his body, and I guess it's hoped that their contents will answer who murdered the man, or why, or at least where he was when it happened.

Why Go Public?

The FBI is very good at what it does:

"We are really good at what we do," said CRRU chief Dan Olson, "but we could use some help with this one."

In fact, Ricky McCormick's [the victim's] encrypted notes are one of CRRU’s top unsolved cases. "Breaking the code," said Olson, "could reveal the victim's whereabouts before his death and could lead to the solution of a homicide. Not every cipher we get arrives at our door under those circumstances."

As Cooney at networkworld.com commented, "One has to wonder though, if the FBI can't figure this out, who can?" (Maybe the boys and girls over at the NSA?)

Ultimately, the purpose behind going public seems to be this:

To move the case forward, examiners need another sample of McCormick’s coded system—or a similar one—that might offer context to the mystery notes or allow valuable comparisons to be made.

While the case has been open since 1999, it's doubtful that someone at the FBI has been working on it continuously for the past 12 years. But, that's probably not the reason why the FBI hasn't managed to crack the code. Sometimes, the code is just too powerful. For example, the one-time pad is proven to be impossible to crack, assuming it was used correctly, and chances are no amount of computing power will crack it.
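To make the "used correctly" part concrete, here is an added example (my own illustration, not code from the original post or from AlertBoot) of a one-time pad in Python: the same ciphertext can be "decrypted" into any message of the same length, so trying every key tells an attacker nothing, and the helper at the end shows the one thing that breaks it, reusing the key.

```python
# Added example (not from the original post): a one-time pad, the condition
# under which it is unbreakable, and the condition under which it is not.
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def generate_key(length: int) -> bytes:
    # Rule 1: the key comes from a cryptographic random source, never a
    # passphrase or an ordinary pseudo-random generator.
    return secrets.token_bytes(length)

def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Rule 2: the key is exactly as long as the message.
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return xor_bytes(plaintext, key)

def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return otp_encrypt(ciphertext, key)  # XOR is its own inverse

def key_consistent_with(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a key that turns the ciphertext into it. Someone who tries
    every key therefore recovers every possible message, with no way to tell
    which one was really sent. More computing power does not change that."""
    return xor_bytes(ciphertext, candidate_plaintext)

def reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """Rule 3: never reuse a key. If two messages were encrypted under the same
    key, XORing the two ciphertexts cancels the key and leaves
    plaintext_a XOR plaintext_b, a value that no longer depends on the key.
    The pad has stopped being one-time, and the proof no longer applies."""
    return xor_bytes(ciphertext_a, ciphertext_b)

if __name__ == "__main__":
    real = b"MEET AT THE USUAL PLACE"          # constructed sample message
    key = generate_key(len(real))
    ct = otp_encrypt(real, key)
    assert otp_decrypt(ct, key) == real
    decoy = b"NOTHING TO SEE HERE NOW"         # same length, equally plausible
    assert otp_decrypt(ct, key_consistent_with(ct, decoy)) == decoy
    print("the same ciphertext decrypts to both", real, "and", decoy)
```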

There are many ways of encrypting data, some of them not as fail-proof as the one-time pad. But, just because they're not completely fail-proof doesn't mean that they're not useful. Take AES-256, for example, the algorithm powering AlertBoot endpoint security software. While it can be cracked in theory, it would require using all the available computing power in the world right now, and it would still be decades before a significant dent could be made on cracking it.

Which is what makes it an excellent tool for powering encryption software for laptops and other portable devices.

Maryville Academy, a child abuse services agency in Des Plaines, Illinois, has sent out breach notification letters to former and current clients. The disappearance of three backup hard disks prompted the notifications. It's a story that shows how physical security is less than ideal when it comes to digital records, and why organizations need to step up their game and start using disk encryption software like AlertBoot.

Nearly 20 Years' Worth of Records

The three missing hard drives (HDDs) contained names, dates of birth, identification numbers, medical information, treatment information, SSNs, and other information that is required in the process of helping abused children. The records cover children who visited Maryville between 1992 and January 25, 2011.

The breach was discovered on February 1, 2011. Three backup computer hard drives (external, portable ones) were removed from a locked storage room (chicagotribune.com calls these three drives "three files" but Maryville Academy's own public notice refers to them as HDDs).

As far as I can tell, it appears that encryption software was not used to secure the data: it wasn't mentioned in any of the public notices, plus Maryville notes that:

Maryville Academy is now in full compliance with the U.S. Department of Health and Human Services' recommended procedure of using data encryption to protect clients' health information. Maryville Academy has begun a practice using specialized security software to completely encrypt all records on these back-up hard drives. This encryption software scrambles the data on the back-up hard drives, which makes the information unusable in the event they are ever lost or stolen in the future. [Maryville.org, my emphases]

The implication is that Maryville waited to have a breach before using data encryption tools. It's not unusual to see such behavior. Generally, it's due to:

Denial: It won't happen to us; or,

Lack of funds: funds will be appropriated once something happens and the expense can be justified unequivocally

Physical Security is Important but also a Relic, Needs Support

Maryville's security practices were probably not too different from what many organizations use when it comes to data security: lock it up. The problem with this approach to data security is that it's literally "lock it up" and not "lock it up in a safe place."

But, even if everyone followed the latter to the letter, it bears pointing out that locking stuff up is not necessarily the best security when it comes to data security. What should one use, then? Crypto tools like AlertBoot disk encryption.

Some reply to such a recommendation with "a lock's worked for centuries. It's good enough for me." Can't argue about locks working for centuries. And, chances are they're going to be required for centuries to come. And, they do an excellent job of stopping hard drives and laptops from getting stolen. In contrast, encryption cannot prevent the physical theft of an item. Also, computer encryption -- or, rather, I should specify modern encryption -- has only existed for half a century or so, arguably.

There's a reason for the latter, though. Computers in their modern format have also existed for about half a century or so. In fact, the only reason why we have modern encryption is because of the presence of computers. Had computers not been invented -- with their ability to process incredible amounts of data at instantaneous speeds -- modern encryption wouldn't have been necessary.

It's a new world out there. It only makes sense to defend and arm yourself with the tools that were developed to combat new threats, which includes encryption for portable devices. (Of course, you also need the tools for fighting old threats as well -- those are still here as well.)

Getting your laptop stolen is lamentable (I was going to use another word starting with an "s," and this is the closest, non-objectionable word I could find). Getting it stolen from a coffee shop while you're not around is even more lamentable: not only are you out of a computer, there's always the niggling "how could I have been so stupid" thought in the back of your mind.

And then, there is the cluster-lamentableness that is the following story: an armed gang of five busts into a coffee shop and steals 20 laptops, 30 cell phones, and the till. From a data security standpoint, this just goes on to show that data security is not just about using drive encryption software (like AlertBoot) or installing antivirus software. It's also about having the appropriate backups in place.

San Isidro, Peru

The robbery took place in Peru, land of the Inca Kola, el sabor de Peru (the taste of Peru. I've never had the chance to try it, but some have likened it to another South American soda: Guarana. It's so sweet you can feel your teeth falling on the spot).

This incident, though, involves a more quotidian American staple: Starbucks. Around 8:30 pm on March 22, five unmasked, armed men busted into a Starbucks and stole valuables from patrons and the store (and employees, I assume). Once outside, they also broke into cars (the thieves also wrangled car keys), and stole some more. It doesn't sound like any vehicles were taken, which is plenty weird.

Two customers, possibly students, were struck because they "resisted giving up their laptops." I like to think it was because the laptops contained their research papers, and not because they were just upset about losing their laptops. I mean, it's kinda hard to be stupid without a really compelling reason when there's a gun pointed at your face. Losing a year worth of work is compelling enough, I'd say.

This is not the first armed robbery involving Starbucks in Peru. There was one on February 22 as well.

Data Security: Backups

I generally deal with one particular aspect of data security on this site: preventing data leakage. Data leakage can result in ID theft, financial fraud, etc., something that has attracted a lot of attention in the last 5 years or so, and has created a multi-billion dollar market (not including the illegal one). To prevent data leakage following a laptop theft, I recommend the use of encryption software. (It's not just me; most security professionals will do so as well.)

However, the loss of data itself also has its own repercussions and requires another form of data security as well: preventing data loss. For example, stories in the media abound where students, professors, and researchers beseech the return of their stolen laptops, external drives, and other devices that hold years' worth of research. Just return the data, they plead; you can keep the laptop. No charges pressed! Usually, such appeals are to no avail (I think I recall one instance where the contents of a stolen laptop were returned to a person via multiple DVDs).

What can I say? People who steal generally don't return stuff unless they think there's a good chance they'll get caught.

If you use a computer, and you're dealing with important data -- be it sensitive or otherwise -- it behooves you to make sure it's protected against leakage as well as loss.

Wheeler & Associates, CPA, PA have filed a data breach notice with the New Hampshire Attorney General's Office. A break-in at Wheeler & Associates offices resulted in the theft of computers and external hard drives. Per the letter, it sounds like hard drive encryption such as AlertBoot was not used to secure the contents of the stolen devices.

Stolen Devices Had Personal Info, Were Recovered

The stolen laptops and external hard disks contained personally identifiable information (PII) including names, SSNs, and addresses. Passwords were used (although it's not mentioned whether these were used in conjunction with encryption software), and further security was present in the form of "specialized accounting software," which could mean anything from custom made software to QuickBooks.

It should be noted that specialized application or not, data is data. Generally, a hex editor can be used to take a look at a file's contents if information is stored in plaintext form. In other words, you can't claim that data was secure because "specialized software" was required.

The good news, though, is that the stolen devices were found. Apparently, two of the devices had already been formatted and installed with new software. The thieves confessed that they did not access the information, a statement that forensic reviews backed up.

Or did it?

Forensics Can Only Do So Much

How did the forensic experts know whether information was accessed or not? Especially since data had been deleted? Well, the truth is that data is not "deleted" when you delete it. Nor is it deleted when you reformat a hard drive. Instead, both actions get rid of pointers to your data files, a map used to find where specific files are, if you will. Since these pointers are missing, the computer can't find the files and, from an operational standpoint, the files are as good as deleted.

But, of course, they're actually not. In fact, there is no such thing as data deletion when it comes to electronic data. If you want to get rid of data, you've got to write over it with new data. The new data displaces the old, essentially destroying it.

So, returning to the subject at hand, what did the forensic experts do? My guess is that they used a file recovery program to recover the "deleted" files; found the appropriate computer log to find data copying/transfer activities; and looked to see if any files were copied off of the computer, per the logs.
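The three paragraphs above (delete and format only drop the pointers; only overwriting destroys data; a recovery program finds the files anyway) can be watched happening on a toy disk. This is an added example of my own, not code from the original post or from any forensic tool: a few 16-byte blocks, a directory that plays the role of the file-system pointers, and a "recovery" routine that ignores the directory and scans raw blocks, as a carving tool does.

```python
# Added example (not from the original post): a toy disk showing why delete
# and format leave file contents behind, and why only overwriting removes them.
BLOCK_SIZE = 16

class ToyDisk:
    def __init__(self, block_count: int):
        self.blocks = [bytes(BLOCK_SIZE)] * block_count  # raw storage, all zero
        self.directory = {}   # file name -> block numbers: the "pointers"

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        for blk, chunk in zip(free, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = free[:len(chunks)]

    def read_file(self, name: str) -> bytes:
        return b"".join(self.blocks[b] for b in self.directory[name]).rstrip(b"\0")

    def delete(self, name: str) -> None:
        # What "delete" really does: drop the pointers; the blocks are untouched.
        del self.directory[name]

    def quick_format(self) -> None:
        # What "reformat" really does: throw away the whole directory, nothing else.
        self.directory = {}

    def secure_wipe(self, name: str) -> None:
        # Actual destruction: overwrite the blocks, then drop the pointers.
        for b in self.directory[name]:
            self.blocks[b] = b"\xff" * BLOCK_SIZE
        del self.directory[name]

def carve(disk: ToyDisk, marker: bytes) -> list:
    """Block numbers whose raw content contains the marker, directory ignored."""
    return [i for i, blk in enumerate(disk.blocks) if marker in blk]

def recover(disk: ToyDisk, marker: bytes) -> bytes:
    """What a file recovery program does: find a block that starts with
    something recognisable (here a CSV header) and read forward until an
    empty block, with no help from the directory at all."""
    for i, blk in enumerate(disk.blocks):
        if blk.startswith(marker):
            out = b""
            for following in disk.blocks[i:]:
                if following == bytes(BLOCK_SIZE):
                    break
                out += following
            return out.rstrip(b"\0")
    return b""

if __name__ == "__main__":
    record = b"SSN,NAME\n123-45-6789,J. Doe\n"   # constructed sample, spans 2 blocks
    disk = ToyDisk(8)
    disk.write_file("clients.csv", record)
    disk.delete("clients.csv")
    print("after delete, recovery finds:", recover(disk, b"SSN,NAME"))
    disk.quick_format()
    disk.write_file("setup.exe", b"MZ new program")   # reuses block 0 only
    print("after format + new install, block 1 still holds:", carve(disk, b"J. Doe"))
```

The last two lines model the Wheeler case: a reformatted drive with new software installed overwrites only the blocks the new files happen to land on, so whatever the old data occupied beyond those is still there for a carving tool.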

If the logs show no such activity, then the integrity of the data is uncompromised, right?

Probably. A less probable but still possible answer is that the thieves copied off the data (say, to a USB flash drive), manipulated the appropriate logs, reformatted the devices in order to sell them, eventually got caught, and lied to save their butts, knowing that no one could prove otherwise.

Now, chances are that the above did not happen. On the other hand, there's no real way to know unless one of the thieves confesses to it.

So, how to be sure? The only way is to prevent unauthorized people from accessing sensitive info to begin with. For example, one could use file encryption in order to prevent a thief from accessing particularly sensitive documents. Whereas the thief can surf the internet (allowing computer tracking software to be activated) and use the computer normally, any files that are encrypted would be off-limits.

Or, if the idea of a thief using your computer disgusts you, you could get more protection in the form of whole disk encryption, which prevents the laptop from even booting up until the correct username and password are presented.

A small experiment by Card Protection Plan (CPP) in the UK has shown that over 50% of used phones still hold personal information. However, this doesn't appear to be due to customer indifference to data security. Rather, it's the nature of how data is stored on phones. Perhaps, the use of encryption software, not unlike AlertBoot, would be best -- with some modifications, that is.

80% Claim to Wipe Data

CPP purchased used phones on-line and other sources for testing. In total, 35 cell phones and 50 SIM cards were tested for any traces of personal data. A little over half, 54%, contained personal information, including credit card numbers, debit card numbers, PINs, and passwords. Photographs, contact information, and login details to websites were also found (presumably for smartphones).

This does not match up to claims by 81% of people who state that they wipe their phones and SIM cards before offloading them. Furthermore, 50% of used cell phone owners admitted that they found previous owners' information, which is more in line with the experiment's results.

The discrepancy between 81% and 50% is too big to ignore. What's going on? Are people lying or recollecting events incorrectly? It wouldn't be the first time that happens on a survey. But it could be something else.

How Do You Wipe Phone Data?

The study noted that "manually wiping the data was the most common method to delete information." I find that the above quote could have been better explained. I mean, what is "manually wiping data?" Is it when you go through the phone's menu, find the appropriate section, and press OK? Or is it something else, like resetting back to factory settings, or what?

(Automatic wiping, of course, is pretty well-established: it's when you type in the wrong access code too many times, and the phone automatically wipes your data. Usually, some flavor of disk encryption is involved. More on this later.)

CPP hasn't revealed how they recovered the information from their purchased objects. The easiest method, obviously, is to turn on the phone and just look through the contents of the device. Another method would be to take out the storage components and use data recovery tools. This latter one, however, seems a bit far-fetched, especially when you consider that regular Joes are reporting the same data recovery rate as CPP: the former sounds more likely than the latter.

Deleted Data Could Remain Behind

So, how does one reconcile the fact that 30% or so of deleted data seems to just magically reappear on phones? Again, a possible answer is that many people who claim a phone's data is deleted were possibly lying.

Another possible answer, and a not so obvious one, may be that a phone doesn't quite do what it's supposed to do (some might say that's not surprising) when it comes to data deletion: It could very well be that people used the factory reset function, except that this did not quite erase all the data found on the phone. It's always advisable for people to go back and check to make sure that deleted data is, in fact, deleted (personally, I do this with computer hard drives as well. Once I run a "data deletion" software, I'll run a data recovery tool afterwards, just to make sure it worked).

I should note that if CPP had done some advanced testing on the phones using custom-built data recovery tools, they might have found that data recovery rates hover around the 100% mark. That's because modern phones make use of flash chips for data storage, and it's been found that it's nearly impossible to delete data in such a medium.

Interestingly enough, about the only method that could guarantee total evisceration of data is the one where you're not actively trying to erase data: automatic data wiping. There's a caveat, of course. This is only true if automatic data wiping is powered by the use of encryption (which generally is the case).

How does automatic data wiping work? Basically, your device is already encrypted to start with. When you set up your phone for data wiping, the encryption key is deleted after a set number of incorrect password guesses. Because the encryption key is required to read the encrypted content, deleting it means you (or anyone else) cannot read the data in your phone anymore. (In fact, this is one excellent method of turning your devices into an expensive brick if you don't know what you're doing.)

Granted, if you can figure out what the key is, you can recover the data. In order to prevent this from happening, encryption keys are made exceptionally long and random, ensuring that you won't be able to guess it...unless you've got a couple of centuries to spare (24/7/365).
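The two paragraphs above describe the mechanism; here it is as a small model, an added example of my own rather than code from the original post or from any phone vendor. The flash only ever holds ciphertext, the random 256-bit data key is stored wrapped under a key derived from the passcode, and after ten wrong guesses the wrapped key is destroyed, which leaves the ciphertext physically in place but unreadable for everyone, the owner included. The HMAC-SHA256 keystream is a stand-in for the device's real cipher and is not AES; the method names are my own.

```python
# Added example (not from the original post): crypto-erase style "automatic wipe".
import hashlib, hmac, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode XORed onto the data.
    It takes the place of the device's real block cipher and is NOT AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ k for d, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def derive_kek(passcode: str, salt: bytes) -> bytes:
    # Slow derivation from the passcode; used only to wrap and unwrap the data key.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

class EncryptedPhone:
    MAX_ATTEMPTS = 10   # wrong guesses allowed before the key is destroyed

    def __init__(self, passcode: str):
        dek = secrets.token_bytes(32)                     # 256-bit random data key
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = keystream_xor(derive_kek(passcode, self.salt), b"wrap", dek)
        self.dek_check = hashlib.sha256(b"check" + dek).digest()  # right vs wrong unwrap
        self.data_nonce = secrets.token_bytes(16)         # one blob, one nonce in this model
        self.flash = b""                                  # storage ever holds ciphertext only
        self.failed_attempts = 0
        self._dek = dek                                   # lives in RAM while unlocked

    def store(self, plaintext: bytes) -> None:
        if self._dek is None:
            raise PermissionError("phone is locked")
        self.flash = keystream_xor(self._dek, self.data_nonce, plaintext)

    def read(self) -> bytes:
        if self._dek is None:
            raise PermissionError("phone is locked")
        return keystream_xor(self._dek, self.data_nonce, self.flash)

    def lock(self) -> None:
        self._dek = None   # the data key leaves RAM; only the wrapped copy remains

    def unlock(self, passcode: str) -> bool:
        if self.wrapped_dek is None:
            return False   # key already destroyed: nothing left to unlock
        candidate = keystream_xor(derive_kek(passcode, self.salt), b"wrap", self.wrapped_dek)
        if hmac.compare_digest(hashlib.sha256(b"check" + candidate).digest(), self.dek_check):
            self.failed_attempts = 0
            self._dek = candidate
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            self.wrapped_dek = None   # the "wipe": ciphertext on the flash stays where it is
        return False

    def is_wiped(self) -> bool:
        return self.wrapped_dek is None
```

Note that the wipe never touches the flash contents, which is exactly why it works on a medium where erasing is unreliable: there was never any plaintext there to erase.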

A CD holding the SSNs on 24,903 current and former high school students is missing. The incident occurred in January. It's not known whether the information was protected with data encryption software like AlertBoot, although it looks like "standard procedures" call for it.

However, seeing how many things didn't go right....

Education Research Center Asks for Student SSNs

As far as I can tell, this is what happened:

University of Texas at Dallas' Education Research Center (UTD) asks Laredo Independent School District (Laredo) for students' SSNs as part of a project

Laredo sends a CD full of SSNs to the Texas Education Agency (TEA), per protocol

UTD asks TEA for the information after SSNs don't arrive

TEA has no idea what UTD is talking about, starts investigation to see what's going on

Laredo provides TEA with a tracking number, finds that the CD was signed for by someone at the building where TEA is housed

CD is missing, no one recognizes the signature

Uh-oh

Lots of Questions Generated

The incident has sparked lots of questions regarding the CD itself as well as the circumstances surrounding the request for the information. For example, was it protocol for the information to be sent via CD?

A TEA spokeswoman claims that it's not typical to send confidential data through the mail. She also noted that SSNs shouldn't have been asked for in the first place, and that whatever project UTD is involved was not approved by the TEA.

A former TEA director contradicted the spokeswoman, saying that it was perfectly legitimate to send confidential data over the mail, seeing how sometimes files are too large to send electronically. As a personal observation, that last portion cannot be true. If it fit on a CD, it can definitely be sent electronically. Sure, you can't send it as an attachment in Outlook but there are other methods. I mean, otherwise, how are people illegally downloading DVD-quality movies, right?

Regardless, it appears that sending information via mail is protocol for those involved. A UTD spokesman further corroborated the director's assertions, noting that Laredo's "standard policy would be for the diskette to be encrypted, so there was no concern of a security breach." [texastribune.org]

Quote-bomb?

George Beckelhymer, president of Laredo ISD's Board of Trustees, said he was also unaware that the information had gone missing.

"I am trying to be sure we are looking in the right spot if we are looking for blame on this," he said. "Is it really LISD’s blame? Did UTD use an inappropriate method to request the [information] and then tricked us? Does the TEA have fault that they didn't have the proper personnel to sign legitimately?" [texastribune.org, my emphasis]

Tricked? Wow, that's quite an accusation.

But, Mr. Beckelhymer does raise a number of interesting points. How come the TEA cannot identify who signed for the package? And why was a research institution asking for SSNs when they had no business asking for it?

The answer to the latter might lie in this:

Van Overschelde said in his experience, a university education research center would request information like Social Security numbers in order to track individual students throughout a study — anonymously. The TEA deidentifies the data before sending it on to researchers, he said.

"For example, if students in the district are getting eye glasses, and we want to know if receiving eyeglasses has an effect on their academic performance," he said, "we need to know the subset of kids that received eyeglasses" — and deidentified social security numbers could be used to keep track of them. [texastribune.org]

If so, why ask for SSNs? Why not ask for deidentified SSNs? And, if the researchers didn't have a method of tracking student data, how would the deidentified SSNs help them? I mean, in order to tack these pseudo-SSNs onto students, you need to identify them first.

I'd say this is the key question. If the contents of the CD were protected cryptographically, then there is no harm done. All parties involved should still look into the issue to try to figure out what went wrong, where it went wrong, and how it went wrong, and shore up any deficiencies in their security practices, but the long and short of it is that the students' SSNs are safe if encryption software was used.

Indeed, it would be enough to allow one to say the following, awful sound bite:

Beckelhymer also added that, while he doesn't like "sharing" Social Security numbers, he doesn't think the fact that they're missing is "a big deal." [texastribune.org]